CVE-2016-0763

Published: 24 February 2016

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

From the Ubuntu security team

It was discovered that the Tomcat setGlobalContext method incorrectly checked if callers were authorized. A remote attacker could possibly use this issue to read or wite to arbitrary application data, or cause a denial of service.

Priority

Medium

CVSS 3 base score: 6.3

Status

Package Release Status
tomcat6
Launchpad, Ubuntu, Debian
Upstream
Released (6.0.45)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus)
Released (6.0.45+dfsg-1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (6.0.39-1ubuntu0.1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726003
tomcat7
Launchpad, Ubuntu, Debian
Upstream
Released (7.0.68-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(7.0.68-1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(7.0.68-1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (7.0.52-1ubuntu0.6)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1725931
tomcat8
Launchpad, Ubuntu, Debian
Upstream
Released (8.0.32-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(8.0.32-1ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(8.0.32-1ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1725929